Security Enhancements


BIND 9 has several security enhancements.

TSIG

TSIG is how BIND signs transactions. In Chapter 9, "Dynamic DNS," I explained how TSIG is used to sign dynamic update requests. BIND 9 supports TSIG for queries, the NOTIFY protocol, and zone transfers. It enables you to know who sent the information and that it has not been changed in transit.

BIND 9's key-generation program has been renamed and changed somewhat. Whereas the BIND 8 key generator required a FQDN for host keys, the BIND 9 documentation recommends naming a shared key after both of the hosts that share it. Say I want to make a shared key for ns.penguin.bv and ns.walruss.bv. Because both host names are ns, I use the next label of each name instead, which makes sense in this context:

 $ dnssec-keygen -a hmac-md5 -b 512 -n HOST penguin-walruss
 Kns-rms.+157+02485

In the file Kpenguin-walruss.+157+02485.private, you will find the key (the Key: line is a single base64 string; it is shown here on one line):

 Private-key-format: v1.2
 Algorithm: 157 (HMAC_MD5)
 Key: EVYYnfezPJnaVhs3arhHFeyhVuSzzYrAtySpIEG4HfL8IvPqGqZ6iQxg1FzffnL1RXXn66e51WTJmOr+5tLDuw==

This is suitable for inclusion in a named.conf key statement (the secret must be one unbroken string):

 key penguin-walruss {
     algorithm "hmac-md5";
     secret "EVYYnfezPJnaVhs3arhHFeyhVuSzzYrAtySpIEG4HfL8IvPqGqZ6iQxg1FzffnL1RXXn66e51WTJmOr+5tLDuw==";
 };

Because these are shared secrets, don't store them in world-readable files!

Using keys for dynamic updates is the same as before. But for server-to-server communication, more configuration is necessary. On ns.penguin.bv, to configure signed communication with ns.walruss.bv, I set up the following:

 server 10.1.0.2 {
     keys { penguin-walruss; };
 };

In BIND 8, the keys option of the server statement was accepted but not functional. After setting up the mirror-image server statement on ns.walruss.bv (naming the same key), we're ready to let named use TSIG on all communication between the two servers.
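The following POSIX shell script is an added example, not code from the book or from the BIND distribution. It collects the steps above into helper functions: it reads the Key: line out of a dnssec-keygen style K<name>.+157+<id>.private file (rejoining a secret that was pasted in two pieces), checks that the secret has the shape of a 512-bit key, emits the named.conf key and server statements, and checks that the key file is not readable by group or others. The key file it writes is constructed for the demonstration from the book's own sample; the peer address 10.1.0.2 and key name penguin-walruss are the ones used in this section.

```shell
#!/bin/sh
# Added example (not from the book or BIND): helpers that turn a
# dnssec-keygen style private-key file into the named.conf "key" and
# "server" statements from this section and check the file's permissions.
# The sample key file is constructed here from the book's own example.
set -eu

# Print the base64 secret from the "Key:" line of a BIND private-key file.
# Spaces inside the value (a key pasted in two pieces) are removed, so the
# result is a single base64 string suitable for the secret "..." clause.
key_secret() {
    sed -n 's/^Key: *//p' "$1" | tr -d ' '
}

# A 512-bit HMAC-MD5 secret is 64 bytes, which base64 encodes to exactly
# 88 characters ending in "==". Return 0 if $1 has that shape, 1 otherwise.
secret_is_512_bit() {
    case "$1" in
        *==) [ "${#1}" -eq 88 ] ;;
        *)   return 1 ;;
    esac
}

# Emit the named.conf key statement for key name $1 from the secret in file $2.
key_statement() {
    secret=$(key_secret "$2")
    printf 'key %s {\n    algorithm "hmac-md5";\n    secret "%s";\n};\n' "$1" "$secret"
}

# Emit the server statement that makes named sign traffic to peer $1 with key $2.
server_statement() {
    printf 'server %s {\n    keys { %s; };\n};\n' "$1" "$2"
}

# Return 0 if file $1 has no group or other permission bits, 1 otherwise.
# Columns 5-10 of "ls -l" are the group and other rwx bits on GNU and BSD.
key_file_is_private() {
    perm=$(ls -l "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Write a constructed copy of the book's private-key file into a fresh
# temporary directory with mode 0600 (umask applies only inside this
# command substitution) and print its path.
make_sample_keyfile() {
    dir=$(mktemp -d)
    f="$dir/Kpenguin-walruss.+157+02485.private"
    umask 077
    cat > "$f" <<'EOF'
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: EVYYnfezPJnaVhs3arhHFeyhVuSzzYrAtySpIEG4HfL8IvPqGqZ6iQxg1FzffnL1RXXn66e51WTJmOr+5tLDuw==
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: build the sample file and print the two statements.
sample=$(make_sample_keyfile)
key_statement penguin-walruss "$sample"
server_statement 10.1.0.2 penguin-walruss
if key_file_is_private "$sample"; then
    echo "# $sample is readable only by its owner"
else
    echo "# WARNING: $sample is readable by group or others; chmod 600 it" >&2
fi
```

Run it as-is to see the generated statements; on a real server, point key_secret at the .private file dnssec-keygen produced and paste the output into named.conf on both hosts.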

DNSSEC

The basic DNSSEC is described in RFC2535. With BIND 9, you'll see DNSSEC fully implemented. Although DNSSEC is available in the BIND 9.0.0rc1 release, DNSSEC is still very much a work in progress, both on the specification and the implementation sides. For now, DNSSEC is not for general consumption. Look for further documentation in the ARM, or in the next edition of this book.



The Concise Guide to DNS and BIND
ISBN: 0789722739
Year: 1999
Pages: 183